What Is Purple Team Security → OWASP Top 10 mapped to cloud infrastructure → Cloud security breaches 2020–2025
TL;DR
- Purple team security is the practice of combining offensive (red) and defensive (blue) work in the same exercise — attackers simulate real techniques while defenders tune detection in real time
- Traditional red team engagements produce a report; purple team produces a faster MTTD (mean time to detect)
- The structural output is not a findings list — it’s updated detection rules, tested playbooks, and a measured detection baseline
- Purple team is not a permanent headcount; it is a cadence of exercises run against your own infrastructure
- Every episode in this series follows the red-blue-purple model: attack simulation → detection → structural fix
OWASP Mapping: This episode establishes the series methodology. No single OWASP category. Subsequent episodes map directly to A01 through A10.
The Big Picture
┌─────────────────────────────────────────────────────────────────┐
│ PURPLE TEAM MODEL │
│ │
│ RED TEAM BLUE TEAM │
│ (Offensive) (Defensive) │
│ │
│ ┌──────────┐ ┌──────────┐ │
│ │ Simulate │──── attack ──▶│ Detect │ │
│ │ attack │ │ alert │ │
│ └──────────┘ └──────────┘ │
│ │ │ │
│ └──────────┬───────────────┘ │
│ │ │
│ ┌─────▼──────┐ │
│ │ DEBRIEF │ ← The purple layer │
│ │ What fired?│ │
│ │ What didn't│ │
│ │ Why? │ │
│ └─────┬──────┘ │
│ │ │
│ ┌──────────▼──────────┐ │
│ │ Updated detection │ │
│ │ rules + playbooks │ │
│ └─────────────────────┘ │
│ │
│ OUTCOME: Detection time drops exercise-over-exercise │
└─────────────────────────────────────────────────────────────────┘
What is purple team security? It is the structured practice of attacking your own infrastructure — with full visibility on both sides — so that detection logic improves after every exercise, not just after a real breach.
Why Red vs. Blue Alone Fails
Eleven days.
That was how long an attacker had access before my blue team detected the compromise in a red team engagement I ran two years ago. It was a standard authorized engagement — well-scoped, realistic techniques, no shortcuts. The red team was good. The blue team was experienced. And still: eleven days.
The debrief was the turning point. The red team had used techniques that generated logs — CloudTrail entries, VPC Flow Log anomalies, process spawn events. The blue team had the data. The detections just weren’t tuned for these specific patterns. Nobody had ever run the techniques against this specific environment and verified whether the alerts fired.
We restructured the next exercise as a purple team exercise. Same attacker techniques. But this time, the blue team was in the room with the red team. They watched each technique execute in real time. They checked whether the alert fired. When it didn’t, they wrote the detection rule on the spot and verified it before moving to the next technique.
Detection time in the following exercise: four hours.
That is the entire argument for purple team security. Not philosophy. Not org charts. Eleven days versus four hours.
What Red Team Alone Gets Wrong
Traditional red team engagements produce a report with findings. The findings describe what the attacker did. The recommendations describe what to fix. Then the report goes to a remediation queue, the org closes the tickets over three months, and the detection logic is never tested.
The fundamental problem: a red team report tells you what happened; it doesn’t tell you whether your detection would catch it happening again.
The MITRE ATT&CK framework lists over 400 techniques. An annual red team engagement tests maybe 20 of them against your environment. You get a PDF. You don’t get a detection baseline.
Red team alone also creates adversarial dynamics inside the organization. Red team wins when they’re not caught. Blue team wins when they catch everything. These goals are structurally opposed, which means neither team has an incentive to share information that would help the other.
What Blue Team Alone Gets Wrong
Blue team without red team input is writing detection rules in the abstract. They tune alerts based on what they think an attacker would do, not what an attacker actually does against your specific environment with your specific tooling.
Signature-based detection catches known-bad. Behavioral detection catches anomalies. Neither catches a sophisticated attacker who has studied your baseline — unless you’ve explicitly tested whether the behavior that attacker uses registers as an anomaly in your environment.
Blue teams also tend toward alert fatigue. When everything fires, nothing gets investigated. Tuning requires knowing which signals correspond to real techniques, and that knowledge only comes from running the techniques.
The Purple Team Model: How It Actually Works
Purple team security is not a permanent team structure. You don’t hire a purple team. You run purple team exercises.
The exercise structure:
1. SCOPE — agree on the attack scenario (e.g., "compromised developer credentials")
2. RED EXECUTES — red team runs the first technique in the scenario
3. BLUE OBSERVES — blue team watches for the alert; records: fired / not fired / noisy
4. DEBRIEF — immediate, technique by technique. Why didn't it fire? What data existed?
5. TUNE — blue team updates detection rule. Red team re-runs. Verify it fires.
6. NEXT TECHNIQUE — repeat for every technique in the scenario
7. MEASURE — record detection rate and detection time at the end of the exercise
The output of a purple team exercise is not a PDF. It is:
– Updated detection rules (tested and verified)
– A measured detection time for each technique
– A documented attack scenario with the specific commands used
– A baseline for the next exercise to beat
This is what “purple” means: the red and blue work together, in the same room or on the same call, producing improved defense as a direct output of the attack simulation.
The MITRE ATT&CK Scaffolding
Every purple team exercise is anchored to ATT&CK techniques. ATT&CK provides the shared vocabulary: red team uses technique T1078 (Valid Accounts), blue team knows which data sources detect T1078, and the exercise verifies whether those detections are actually implemented and tuned.
MITRE ATT&CK Technique
│
├── Tactic: Initial Access / Persistence / Lateral Movement / ...
├── Data Sources: CloudTrail, Process events, Network traffic, ...
├── Detection: What behavioral indicator to look for
└── Mitigations: What configuration change prevents or limits it
When you scope a purple team exercise using ATT&CK, you get explicit coverage tracking. After six exercises, you can report: “We have verified detections for 47 of the 112 techniques most relevant to our threat model. These 65 are not yet covered.”
That is a measurable security posture improvement. It is auditable. It is repeatable.
Where OWASP Fits in This Series
This series uses OWASP Top 10 (2021) as the threat taxonomy, not ATT&CK. The reason: OWASP Top 10 maps directly to the classes of vulnerability that caused the major breaches between 2020 and 2025 — and it is familiar to the developers and architects who need to remediate them.
The next episode maps every OWASP Top 10 category to its cloud and Kubernetes infrastructure equivalent. Most engineers think OWASP applies only to web applications. It doesn’t. Broken Access Control (A01) is the S3 bucket that’s public when it shouldn’t be. Cryptographic Failures (A02) is the environment variable with a plaintext database password committed to GitHub. Injection (A03) is the SSRF that hits the EC2 metadata endpoint.
The framing shifts. The categories don’t.
Red Phase Primer: How Attack Simulations Work in This Series
Every episode from EP04 onward follows this structure:
Red phase — the technique the attacker uses, with the actual commands. Not “the attacker exploited misconfigured IAM.” The actual aws CLI command or kubectl invocation that demonstrates the technique. Commands are safe for authorized use in your own environment or a test account.
Blue phase — what detection looks like. The CloudTrail event, the GuardDuty finding, the Falco rule, the SIEM query. If it doesn’t fire by default, the episode says so explicitly — and shows you how to make it fire.
Purple phase — the structural fix. Not “train your developers to be more careful.” The IAM policy, the SCPs, the network control, the pre-commit hook. The thing that makes the vulnerability not exist, not the thing that makes humans try harder to avoid it.
Run This in Your Own Environment: Baseline Your Current Detection Coverage
Before EP02, establish a detection baseline. This tells you where you start, so later exercises have a number to beat.
aws guardduty list-findings \
--detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
--finding-criteria '{
"Criterion": {
"updatedAt": {
"GreaterThanOrEqual": '$(date -d '30 days ago' +%s000)'
}
}
}' \
--query 'FindingIds' --output text | \
xargs -n 50 aws guardduty get-findings \
--detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
--finding-ids | \
jq '.Findings[] | {type: .Type, severity: .Severity, count: 1}' | \
jq -s 'group_by(.type) | map({type: .[0].type, count: length})'
# Check if CloudTrail is enabled and logging management events
aws cloudtrail describe-trails --query 'trailList[].{Name:Name,MultiRegion:IsMultiRegionTrail,LoggingEnabled:HasCustomEventSelectors}' --output table
# Check if S3 server access logging is enabled on all buckets
aws s3api list-buckets --query 'Buckets[].Name' --output text | \
tr '\t' '\n' | \
while read bucket; do
logging=$(aws s3api get-bucket-logging --bucket "$bucket" 2>/dev/null)
if [ -z "$logging" ] || echo "$logging" | grep -q '{}'; then
echo "NO LOGGING: $bucket"
else
echo "LOGGING OK: $bucket"
fi
done
Record your current findings count by category and the number of buckets without logging. These are your pre-exercise baselines.
⚠ Common Mistakes When Starting a Purple Team Practice
Running it as an annual event. One purple team exercise per year produces a report. Monthly exercises with 3–5 techniques each produce measurable improvement in detection time. Frequency is the variable.
Letting red and blue work in separate rooms. The purple layer is the debrief. If red sends a report and blue reads it later, you’ve just done a red team engagement. The real-time shared observation is what generates the immediate detection improvement.
Measuring success as “how many vulnerabilities were found.” The right metric is detection time per technique and detection coverage across your ATT&CK or OWASP matrix. Vulnerabilities found is an output of the exercise; faster detection is the outcome.
Starting with sophisticated techniques. The first exercise should test basics: credential access, S3 enumeration, IAM privilege escalation attempts. These generate straightforward logs in CloudTrail. If your detection doesn’t catch these, it won’t catch the sophisticated stuff either. Start where the coverage gaps are most embarrassing.
No documentation of the exercise environment state. If you tune a detection rule during an exercise and then a Terraform change overwrites the policy, you’ve lost the improvement. All detection changes from exercises go through version control immediately.
Quick Reference
| Term | Definition |
|---|---|
| Purple team security | Practice of combined red/blue exercises where both teams improve detection together |
| MTTD | Mean Time to Detect — the primary metric purple team exercises reduce |
| ATT&CK | MITRE framework mapping adversary techniques to data sources and detections |
| Red phase | Attacker perspective: simulate the technique with real commands |
| Blue phase | Defender perspective: what detection fires (or doesn’t) |
| Purple phase | The joint debrief and immediate detection tuning that makes both better |
| Detection baseline | Measured MTTD and technique coverage before the first exercise |
| OWASP Top 10 | Threat taxonomy used in this series — applies to infrastructure, not just web apps |
Key Takeaways
- Purple team security is a practice, not a team: structured exercises where red attacks and blue detects in real time, with joint debrief producing updated detection rules
- The metric that matters is detection time per technique — not findings count
- Red team alone produces a report; purple team produces a faster MTTD and tested detection coverage
- MITRE ATT&CK provides the technique vocabulary; OWASP Top 10 provides the vulnerability taxonomy this series uses
- Every major cloud breach 2020–2025 maps to an OWASP category — those categories are the exercise backlog for any cloud-running organization
- Detection improvements from exercises must be version-controlled immediately or they disappear with the next infrastructure change
- Frequency of exercises is the primary driver of improvement — monthly beats annual by an order of magnitude
What’s Next
EP02 maps every OWASP Top 10 category to its cloud infrastructure equivalent. Most engineers treat OWASP as a web application concern. The cloud security breaches from 2020 to 2025 tell a different story: the S3 bucket that became public is A01; the CI/CD pipeline secret is A08; the SSRF to EC2 metadata is A10. The taxonomy was always infrastructure-applicable. EP02 makes that mapping explicit — with the cloud-native equivalent, the real breach that demonstrates it, and the detection query to run.
Get EP02 in your inbox when it publishes → subscribe at linuxcent.com